Posted by Soulskill on Friday January 23, 2009 @11:08PM
from the but-they're-so-friendly dept.

netizen writes "CircleID is reporting a large-scale DDoS attack affecting all of Network Solutions' name servers for the past 48 hours, potentially affecting millions of websites and emails around the world hosting their domain names on the company's servers. The NANOG mailing list indicates that it is due to a very large-scale UDP/53 DDoS which Network Solutions has also confirmed: 'There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack. We are taking measures to mitigate the attack and speed up queries.'"

Many (inexperienced) Linux admins like to reboot their boxen too, remember.

I've seen many times when issues required a reboot of a *nix machine.

The latest one I'm dealing with is a machine that completely drops off the network (no pings, etc.). Restarting services has no effect, so we suspect it is hardware, but that doesn't make a lot of sense, because the obvious culprit (the network cards) have physical redundancy and pass all diagnostics. We've also swapped out cards, but still see the same thing. The next step is to move to a card that uses a different driver, but that's s

I had a consulting business for about fifteen years... yeah, it's do-or-die all right. But as my father used to say (he ran several engineering and consulting businesses in his life) "it's the life if you can handle it."

Yes and no. I know what you're saying, and generally speaking you're entirely correct. On the other hand, there's a distinct lack of employment stability in the tech world right now. I might add that there are a lot of people who like it that way (mostly upper management types.) Decent benefits are on the way out, job security is a thing of the past: really, few of us are comfortable with our corporate futures.

So yes, you may have a job... but for how long? At least my father (and I, once I followed in

NSI originally operated the .com/net/org/edu registry and was the sole registrar; after they started allowing competing registrars, Verisign bought NSI, then Verisign spun off NSI as a registrar but kept the registry. NSI now competes on even footing with other registrars (except NSI's customer base dates back to before competition existed).

Here is an update that we posted on the Network Solutions Blog (http://cli.gs/GEWSs0): DNS queries for web sites should be responding normally. Thank you all for your understanding. As always, we will continue to work to take measures to prevent these and other types of technical issues caused by third parties that may impact our customers.
Thanks,
ShashiB

Thanks for informing us on your blog. However, it's a little bit too little too late. We were trying to track down the problem with our network services for a while yesterday before we clued in that it was an NS problem and had to call to verify. How about some way of directly notifying your customers immediately when there are problems like this? A low-volume notification-only mailing list? A more filtered blog? No I'm not interested in reading about "Solutions Out Loud Podcast Episode #6 - “The Ina

I thought such attacks were a thing of the past. I am disappointed. But on a serious note, is there a way to completely "immunize" oneself against such attacks? If so, where is the howto?

tl;dr: no.

You can do quite a bit to reduce the risk and react well to the situation, but as long as you're on the internet and there are botnets, DDOS is possible. It might even look like too much "normal" traffic. Given this is a DNS attack based on DNS traffic, it's quite possible the only reason they know it's a DDOS is

Ummmm... no. Arbor products examine flow from routers (or from packet captures) to give you an overview of your network traffic and catch anomalies. So it can tell you that you're being DDOS'd, but it can't do anything about it. I do like their products though - all the services on their appliances are written in Python!

*spoiler alert* - but if you haven't read these books yet, you're either very young, or not a geek.
Wintermute was trying to overcome his programming, which was keeping him and Neuromancer separate. I believe. It's been a long while since I read the books.

You might be getting old, but reporting malicious attacks like the weather is a good thing. Some will get tired of it, but the good thing is that perhaps the average joe public user will become aware of how vulnerable their on-line experience and computer are. Fighting DDoS attacks has been done successfully, but it takes a lot of work, and a lot of hardware. There are a couple of stories on the Internet about such.

I was just thinking yesterday about how the humble virus had grown. I was wowing over the Amiga 500 my friend's older brother had bought (with his very own money!), when said older brother caught us creeping around in his room.

But instead of tossing us out like the brats we were, he came in and fired it up to show it off to us in a casual display of older-geek coolness I was deeply impressed by. The guy was hard core, heading off to study at MIT in a few months time. The best I'd ever done for geek-cred

Except that that source IP address doesn't look like a Network Solutions address to me.

Is it possible that there is a DDoS technique where the source IP addresses on DNS packets to 3rd party DNS servers are spoofed so as to generate the appearance of an attack from a different source? I guess that's what they're saying. But it doesn't seem to multiply the power of an attack much. They just get 17 bytes of DNS response from each 17 byte request.

I saw a whole bunch of requests that my DNS server was rejecting. I think for your computer to have been part of the problem it needed to allow recursive DNS queries for the public. I was watching my logs and banned the IPs when I saw them.

I was getting a lot of messages that looked like named[2476]: client xx.xx.xx.xx#22707: view external: query (cache) './NS/IN' denied

Don't block the requests, the requester IP is spoofed so that DNS servers which respond with root hints forward them to the innocent party, causing DoS. Blocking the IP just blocks the innocent party's DNS servers. Just make sure that you don't respond to external recursive queries.

It's a spoof. The attacker sends requests to lots of different nameservers with a spoofed return address. Those servers respond to that address as normal. The target suddenly gets a lot of DNS traffic from all over the place. Instant amplification attack.

(Gross simplification, but it's late and someone else can explain the details.)

Indeed, this doesn't seem to have any connection to the Network Solutions problem. It looks like another DDoS attack that just happens to be taking place at the same time. There may be some devious connection between the two, but nobody seems to be making that case.

(And of course nothing is "originating from isprime" -- those source addresses are forged.)

Exactly. The attacker spoofs UDP DNS queries and sends them to third-party DNS servers. They respond to the spoofed address: the victim's nameservers. The idea is that the attacker sends a small packet which induces a large response ('amplification') from the third party to the victim.

Incidentally when did Network Solutions change their name to "IsPrime"?
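As an added illustration of the mechanism the last few comments describe (the './NS/IN' refusals in the named log, why banning the logged "client" address hits the victim rather than the attacker, and how a small query draws a large root-hints reply), here is a Python script that is not part of this thread or of any Network Solutions material. It parses log lines in the quoted BIND format and hand-builds the wire-format packets so the amplification can be measured offline. The log lines and all addresses are constructed (RFC 5737 documentation ranges); the thirteen root-server hostnames are the real public ones, but the reply is an approximation (13 NS records plus IPv4 glue, no AAAA, no EDNS), so the byte counts are indicative rather than those of a real priming response.

```python
import re
import struct
from collections import Counter

# --- Part 1: triage of BIND "query (cache) ... denied" log lines ---------------

# Constructed sample lines in the format quoted in the thread (not real traffic).
# 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 23 22:41:07 ns1 named[2476]: client 192.0.2.10#22707: view external: query (cache) './NS/IN' denied
Jan 23 22:41:07 ns1 named[2476]: client 192.0.2.10#22708: view external: query (cache) './NS/IN' denied
Jan 23 22:41:08 ns1 named[2476]: client 192.0.2.10#22709: view external: query (cache) './NS/IN' denied
Jan 23 22:41:08 ns1 named[2476]: client 198.51.100.7#53: view external: query (cache) 'example.com/A/IN' denied
Jan 23 22:41:09 ns1 named[2476]: client 192.0.2.10#22710: view external: query (cache) './NS/IN' denied
"""

DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied"
)


def parse_denied(log_text):
    """Return one dict per matching 'denied' line: ip, port, view, qname, qtype, qclass."""
    records = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def reflection_report(records, threshold=3):
    """Count refused root-NS queries per logged source address.

    The 'client' address on these lines is the *spoofed* source, i.e. the party
    the attacker wants flooded, so it is reported as a reflection target, not an
    attacker, and no block list is produced from it.
    """
    per_target = Counter(r["ip"] for r in records if r["qname"] == "." and r["qtype"] == "NS")
    return {
        "root_ns_refusals": sum(per_target.values()),
        "likely_reflection_targets": sorted(ip for ip, n in per_target.items() if n >= threshold),
    }


# --- Part 2: the packets behind the amplification -------------------------------

ROOT_SERVERS = [f"{chr(c)}.root-servers.net" for c in range(ord("a"), ord("n"))]  # a..m


def build_root_ns_query(txid=0x1234, rd=True):
    """Wire-format '. NS IN' query: 12-byte header + 1-byte root name + type + class."""
    flags = 0x0100 if rd else 0x0000  # RD set: asks the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x00" + struct.pack("!HH", 2, 1)  # root label, NS, IN
    return header + question


def build_root_hints_response(txid=0x1234, with_glue=True):
    """Hand-built reply: 13 NS RRs for '.', optionally 13 A glue RRs (placeholder IPs)."""
    n = len(ROOT_SERVERS)
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8180, 1, n, 0, n if with_glue else 0))
    msg += b"\x00" + struct.pack("!HH", 2, 1)  # echoed question
    suffix_ptr = None   # offset of the shared "root-servers.net" labels
    owner_off = {}      # hostname -> offset where its full name starts (for glue)
    for host in ROOT_SERVERS:
        label = host.split(".")[0].encode()
        msg += b"\x00" + struct.pack("!HHI", 2, 1, 518400)  # owner '.', NS, IN, TTL
        rdata_off = len(msg) + 2  # rdata follows the 2-byte RDLENGTH
        owner_off[host] = rdata_off
        if suffix_ptr is None:
            rdata = bytes([len(label)]) + label
            suffix_ptr = rdata_off + len(rdata)
            for part in ("root-servers", "net"):
                rdata += bytes([len(part)]) + part.encode()
            rdata += b"\x00"
        else:
            # later names: one label plus a compression pointer to the suffix
            rdata = bytes([len(label)]) + label + struct.pack("!H", 0xC000 | suffix_ptr)
        msg += struct.pack("!H", len(rdata)) + rdata
    if with_glue:
        for i, host in enumerate(ROOT_SERVERS):
            msg += struct.pack("!H", 0xC000 | owner_off[host])      # owner via pointer
            msg += struct.pack("!HHIH", 1, 1, 518400, 4)            # A, IN, TTL, RDLENGTH
            msg += bytes([192, 0, 2, i + 1])                        # placeholder glue IP
    return bytes(msg)


def parse_header(msg):
    """Decode the six 16-bit header fields of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification_factor(with_glue=True):
    """Bytes sent to the victim per byte the attacker spent on the spoofed query."""
    return round(len(build_root_hints_response(with_glue=with_glue)) / len(build_root_ns_query()), 1)


if __name__ == "__main__":
    print(reflection_report(parse_denied(SAMPLE_LOG)))
    print(len(build_root_ns_query()), "byte query ->",
          len(build_root_hints_response()), "byte reply, x", amplification_factor())
```

The query really is 17 bytes on the wire, as the thread says; the hand-built reply with 13 NS records and IPv4 glue comes to 436 bytes, roughly 25x. A server that refuses the query instead sends a REFUSED response that just echoes the question, so it returns about as many bytes as it received and amplifies nothing. That is why the fix on the responder side is to stop answering recursive queries from the outside (in BIND, the `allow-recursion` ACL) rather than to block the addresses in the log, which belong to the party being flooded.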

Now correct me if I'm wrong, but if the mafiaa's legal theory on "making available" is right, doesn't that mean that any company which makes available software which is easy to turn into a DoS zombie should be held liable. And the people who let their computers become zombies should be held liable for making their machines available to become zombies. Not only that, those made-available computers actually _are_ exploited for evil acts.

So aren't the purveyors of dodgy software liable for damage caused by DDoS?

Except that in many jurisdictions the criminal activity of others cuts off liability.
I.e., if Microsoft provides software, and someone else exploits it, the criminal activity of the third party cuts off liability to Microsoft.

Second, just because you can use some of the same words does not mean that your armchair legal theory has anything to do with their legal theory. That said, it is equally correct (which is a nice way of saying wrong).

I think it is still an interesting question to consider if there is any liability to Microsoft for damage caused by a virus hosted on their OS.

My instinct is that there isn't, as it is perfectly possible to run Windows virus-free, with varying levels of difficulty. Also, in this case Microsoft made a patch available, so the OS as provided by Microsoft is immune to the attack.

I moved a domain from netsol in January and let me tell you it was like pulling teeth. The non-existent control panel button, the "security" which secures them against you, the sales rep on the phone who passes you on, each person initiating a new sales pitch... only got them to move at all by threatening to report them. I used them for 10 years and knew they were tough to like but never again. FWIW Mom uses GoDaddy, and for hosting I like linode.com or anybody else.

The only obvious reason to DDoS a bunch of DNS servers is if you're going to be doing some cache poisoning and mounting a massive MITM attack, and if you're lucky you recently obtained a trusted intermediate CA via an MD5 collision attack on a lousy root CA like RapidSSL.

Has anyone bothered to petition Mozilla to remove all the offending root CAs with the weakness shown in MD5 considered harmful today [win.tue.nl]?